[syslog-ng] Rewrite facility names of remote logs

Steve Smith ssmith at xpressdocs.com
Fri Mar 25 18:49:30 CET 2011


I'm actually writing logs out to syslog as local6 facility using log4j. Then using rsyslog, I am forwarding those logs to the syslog-ng server using 'local6.* @centrallogserverhost'. So when syslog-ng receives those logs, it writes them out to a file named local5.$DAY according to my destination configuration. So, I don't know that $PROGRAM would accurately record the name. Will give it a shot and see.



-----Original Message-----
From: Martin Holste [mcholste at gmail.com]
Received: Friday, 25 Mar 2011, 12:21pm
To: Syslog-ng users' and developers' mailing list [syslog-ng at lists.balabit.hu]
CC: Steve Smith [ssmith at xpressdocs.com]
Subject: Re: [syslog-ng] Rewrite facility names of remote logs

Is "tomcat" the $PROGRAM or the $FACILITY name?  I would think it
would be $PROGRAM like "ssh" or "apache."

On Fri, Mar 25, 2011 at 9:44 AM, Steve Smith <ssmith at xpressdocs.com> wrote:
> I’ve set up Syslog-NG to receive logs from other servers which have been
> configured as follows -
> Tomcat servers are forwarding logs as facility6 to rsyslog, which then
> forwards to central log server.
> Apache servers are forwarding logs as facility5 to rsyslog which then
> forwards to central log server.
>
> When I receive these logs on the central log server, they are written to
> files as their facility name, i.e. local6.$DAY.
> Is there a way to change or re-write the facility name on the fly so that
> instead of local6.$DAY I can get the file written as tomcat.$DAY?
>
> Here is the configuration I’m using to store the logs -
>
> destination d_net {
>     file("/var/log/hosts/$YEAR/$MONTH/$HOST/$FACILITY.$DAY"
>         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
>     );
> };
>
> log {
>     source(s_net);
>     destination(d_net);
> };
>
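The difference between $PROGRAM and $FACILITY raised in this thread, as an added example that is not part of the original messages: the facility comes from the PRI number at the start of each BSD-syslog line, while the program is whatever tag the sender wrote. The facility-to-name mapping, the `route` helper and the sample lines are assumptions constructed for illustration.

```python
import re
import time

# Standard facility names for codes 0-11; codes 16-23 are local0..local7.
_STD = ["kern", "user", "mail", "daemon", "auth", "syslog",
        "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
# Assumed mapping, taken from the thread: local6 = Tomcat, local5 = Apache.
ALIASES = {"local6": "tomcat", "local5": "apache"}

_LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) "
                   r"([^:\[\s]+)(?:\[\d+\])?: ?(.*)$")

def facility_name(code):
    """Map a numeric facility code to its conventional name."""
    if code < len(_STD):
        return _STD[code]
    return f"local{code - 16}" if 16 <= code <= 23 else f"facility{code}"

def route(line, year):
    """Return facility, program and target file path for one BSD-syslog line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    pri, stamp, host, program, _msg = m.groups()
    # The host field is sender-controlled and becomes a directory name,
    # so restrict it to a single safe path component.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", host):
        raise ValueError("unsafe host field")
    t = time.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    facility = facility_name(int(pri) >> 3)  # PRI = facility * 8 + severity
    stem = ALIASES.get(facility, facility)   # tomcat.$DAY instead of local6.$DAY
    path = (f"/var/log/hosts/{t.tm_year}/{t.tm_mon:02d}/{host}/"
            f"{stem}.{t.tm_mday:02d}")
    return {"facility": facility, "program": program, "path": path}

# Constructed sample lines (not captured traffic).
TOMCAT = ("<182>Mar 25 12:21:05 app01 "
          "org.apache.catalina.startup.Catalina: Server startup in 5120 ms")
APACHE = "<174>Mar 25 12:21:07 web01 httpd[2211]: GET /index.html 200"
SSHD = "<30>Mar 25 12:21:09 web01 sshd[991]: Accepted publickey for admin"

if __name__ == "__main__":
    for sample in (TOMCAT, APACHE, SSHD):
        print(route(sample, 2011))
```

In the first sample the program field is a logger name rather than "tomcat", which is why naming files after the facility alias gives a stable result where the program tag would not.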

